Zion Boggan


Finding 08: Asymmetric EdDSA Uses Unsalted Commitment

Severity: P3 (Medium) → possibly P4 given R entropy

Summary

commit_to_r() hashes SHA256(id || index || player_id || R) with no random salt, so the commitment is deterministic: the same inputs always produce the same output. The symmetric EdDSA path correctly uses commitments_create_commitment_for_data(), which includes a 32-byte random salt.

Location

  • File: src/common/cosigner/asymmetric_eddsa_cosigner.cpp, lines 59-70

PoC Verified

Vulnerable: 10000/10000 collisions (100.0%) - ALL identical!
Correct: 0/10000 collisions (0.0%)

Practical Impact

Low: R has 253-bit entropy, so brute-forcing the committed value is infeasible. The commitment is nevertheless not computationally hiding under the cryptographic definition (hiding must hold regardless of the entropy of the committed value), and the inconsistency with the symmetric protocol suggests an oversight.

Remediation

Generate a 32-byte salt with RAND_bytes and include it in the SHA256 input, as the symmetric EdDSA path already does.
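The unsalted and salted commitment forms side by side, with the repeat-commit check the PoC describes and a function showing why the deterministic form fails the hiding definition. This is an added Python model, not the cosigner's own code; the field encodings, the sample id/index/player_id/R values and the use of os.urandom in place of RAND_bytes are assumptions.

```python
import hashlib
import hmac
import os

# Constructed sample inputs standing in for the cosigner's id, index, player_id and R.
# Assumption: fixed-width little-endian field encodings; the real layout is not on the page.
ID = b"constructed-key-id"
INDEX = 7
PLAYER_ID = 3
R = bytes.fromhex("1a" * 32)  # stand-in for a 32-byte encoded EdDSA nonce point

def _absorb(h, id_, index, player_id, r):
    h.update(id_)
    h.update(index.to_bytes(4, "little"))
    h.update(player_id.to_bytes(8, "little"))
    h.update(r)

def commit_unsalted(id_, index, player_id, r):
    """Mirrors the flawed commit_to_r(): SHA256(id || index || player_id || R), no salt."""
    h = hashlib.sha256()
    _absorb(h, id_, index, player_id, r)
    return h.digest()

def commit_salted(id_, index, player_id, r, salt=None):
    """Hardened form: a fresh 32-byte salt is hashed first and returned for the reveal step."""
    if salt is None:
        salt = os.urandom(32)  # RAND_bytes(salt, 32) in the C++ code (assumption)
    h = hashlib.sha256()
    h.update(salt)
    _absorb(h, id_, index, player_id, r)
    return salt, h.digest()

def salted_digest(id_, index, player_id, r):
    return commit_salted(id_, index, player_id, r)[1]

def open_salted(commitment, salt, id_, index, player_id, r):
    """Verifier side: recompute with the revealed salt and compare in constant time."""
    return hmac.compare_digest(commitment, commit_salted(id_, index, player_id, r, salt)[1])

def collision_rate(commit_fn, n=10000):
    """Commit to identical inputs n times; fraction of commitments equal to the first one."""
    first = commit_fn(ID, INDEX, PLAYER_ID, R)
    same = sum(commit_fn(ID, INDEX, PLAYER_ID, R) == first for _ in range(n))
    return same / n

def matches_candidate(commitment, candidates, id_, index, player_id):
    """Hiding failure: without a secret salt, a commitment confirms any guessed R offline."""
    for cand in candidates:
        if commit_unsalted(id_, index, player_id, cand) == commitment:
            return cand
    return None
```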


Source · github.com/zionsworking/security-research-notebook · writeups/fireblocks/08-eddsa-unsalted-commitment-P3.md